Hi --

I recently implemented DNSSEC on some of my domains (in .net and .de). To get 
key management done I installed OpenDNSSEC. 

As far as I and all those available services like 
http://www.nabber.org/projects/dnscheck/ can tell, all my domains are 
effectively secured, now. 

There is one issue left that I could not solve on my own yet, and that is the 
complaint from the nabber.org tool:

|       example.net.    172800  IN      NS      ns.example.net.
|       example.net.    86400   IN      DS      12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|               C
|       example.net.    172800  IN      NS      sns.example.net.
|       example.net.    86400   IN      DS      12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|               C
|       According to RFC 4035, the TTL for NS records at the parent should match the DS TTL.

Yes, and I can confirm that complaint with drill and the like, e.g.:

|       drill -D example.net @a.gtld-servers.net
|       ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35135
|       ;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6 
|       ;; QUESTION SECTION:
|       ;; example.net. IN      NS
|
|       ;; ANSWER SECTION:
|
|       ;; AUTHORITY SECTION:
|       example.net.    172800  IN      NS      ns.example.net.
|       example.net.    172800  IN      NS      sns.example.net.
|       example.net.    86400   IN      DS      12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

If I understand the documentation at 
https://wiki.opendnssec.org/display/DOCS/kasp.xml correctly, then I should be 
able to set those TTLs at the parent to my needs. These were the default 
settings in my kasp.xml (policy default, and that's the one I am using for my 
domains):

|       <Parent>
|           <PropagationDelay>PT9999S</PropagationDelay>
|           <DS>
|               <TTL>PT3600S</TTL>
|           </DS>
|           <SOA>
|               <TTL>PT172800S</TTL>
|               <Minimum>PT10800S</Minimum>
|           </SOA>
|       </Parent>

Hmm, DS 3600 seconds versus 86400? Should I set it to PT172800S?

Must I just add an additional <NS>...</NS> section?
Shall I ignore those differences?
I cannot find 86400 in my kasp.xml anywhere?

I would very much appreciate some input/help from more experienced users of 
OpenDNSSEC than I am.

Thanks in advance and with kind regards,
Michael

P.S. If it is needed: I am running a hidden NSD master --> OpenDNSSEC signer 
--> 2 NSD slaves in FreeBSD service jails, and UNBOUND as recursive resolvers
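The TTLs in the drill output above are served by the parent (the TLD name servers), so from the child side they can be verified but not set. As an added example, not part of Michael's message or of OpenDNSSEC, here is a small parser that runs the same NS-versus-DS TTL comparison the nabber.org tool reports, over a constructed referral that mirrors the quoted drill output (the DS digest is a placeholder):

```python
"""Compare NS and DS TTLs in a parent-side referral (the RFC 4035 check the tool reports)."""
import re
from collections import defaultdict

# Constructed sample referral from a TLD server, mirroring the drill output in the message.
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example.net.    172800  IN      NS      ns.example.net.
example.net.    172800  IN      NS      sns.example.net.
example.net.    86400   IN      DS      12345 8 1 0000000000000000000000000000000000000000
"""

RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")

def parse_rrs(text):
    """Return (owner, ttl, rtype, rdata) tuples; ';;' comments and blank lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            rrs.append((m["owner"].lower(), int(m["ttl"]), m["type"], m["rdata"]))
    return rrs

def ttl_by_rrset(rrs):
    """Map (owner, type) -> set of TTLs seen; a well-formed RRset has exactly one TTL."""
    ttls = defaultdict(set)
    for owner, ttl, rtype, _ in rrs:
        ttls[(owner, rtype)].add(ttl)
    return ttls

def check_delegation_ttls(text):
    """Return a list of problem strings; an empty list means the NS and DS TTLs agree."""
    problems = []
    ttls = ttl_by_rrset(parse_rrs(text))
    for owner in sorted({owner for owner, _ in ttls}):
        ns = ttls.get((owner, "NS"), set())
        ds = ttls.get((owner, "DS"), set())
        for rtype, seen in (("NS", ns), ("DS", ds)):
            if len(seen) > 1:  # mixed TTLs inside one RRset is a problem of its own
                problems.append(f"{owner} {rtype} RRset has mixed TTLs {sorted(seen)}")
        if ns and ds and ns != ds:
            problems.append(f"{owner} NS TTL {sorted(ns)} != DS TTL {sorted(ds)}")
    return problems

if __name__ == "__main__":
    for p in check_delegation_ttls(SAMPLE_REFERRAL) or ["NS and DS TTLs match"]:
        print(p)
```

Paste the AUTHORITY SECTION of a `drill -D <zone> @<parent-server>` run into `check_delegation_ttls` to reproduce the tool's finding for your own zones.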

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user